A fatal program and solution for beginner ASP programming

zhaozj2021-02-16  148

In ASP programming, identity authentication can be said to be used. But how can I do certification security? Example: Form Submit Page: Sub.htm Administrator Login </ Title> <body> <form name = "form1" method = "post" action = "sub.asp"> <P > Administrator: <Input Type = "TEX" name = "userid" size = "25" maxlength = "20"> password: <input type = "Name =" size = "12" maxlength = "20 > <input type = "submit" name = "submit" value = "Submit"> </ p> </ form> </ body> </ html></p> <p>Sub.asp program <% received data user = request.from ("userid") The data submitted by the checklist is empty (the form page may be controlled with JavaScript or Vbscript, but not forget the control here! IF user = "" THEN Go to the error prompt page! Response.Redirect "err1.htm" This sentence may be useless, but with good! Response.end end if pass = request.from ("pass") if pass = "" Then Response.Redirect "Err2.htm" response.end endiff connection database file = server.mappath ("Your Database) SET CONN = Server.createObject (" AdoDb.Connection ") DR =" Driver = {Microsoft Access Driver (* .mdb)}; DBQ = "& file conn.open dr set = server.createObject (" adodb.recordset ") The key is the SQL language SQL =" SELECT * FROM table where user = "& user &" and pass = "& Pass &" "RS.Open SQL if Not rs.eof dam found, enter the management page reponse.Redirect" login.asp "ELSE did not find it to enter the error page response.write" Err3.htm "End IF%> everyone feels above The code should have no problem, but there is a serious security risks: I want to enter the administrator if I want to log in to the administrator, enter: A or 1 = 1 or OR = III Enter: a or 1 = 1 or OR = Submit, everyone will see ... "Hey, listen to me is good, bricks will be lost again ..." "A" and "1 "Some people who will ask for any character will enter these characters to enter the administrator. What these characters are deceived for SQL language in your program, and everyone who successfully enters: Start program SQL is a table Records for USER = "& User &" and pass = "& pass" "condition SQL =" SELECT * FROM table where User = "& user &" and pass = "& pass" "I entered the code above the code: SQL =" SELECT * FROM table where user = a or 1 = 1 and pass = a or 1 = 1 "everyone to see Can you have a reason not to enter? ? Give me a reason that doesn't enter, first! The above User Pass field is the same as the character pattern!</p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-8332.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="8332" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.056</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'cnUfkB92CR8nc27HoqO3QO34Ha8ls1vRRw1P69oCXf1i2Ws6YWKDOfgUd_2FrzOtvFtlCggrYbkvEL1MAyOtnhxQ_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>